Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-2766
Publication date:
24/02/2026
Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2026-23983
Publication date:
24/02/2026
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.<br /> When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data <br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)
Severity CVSS v4.0: LOW
Last modification:
24/02/2026

CVE-2026-23984
Publication date:
24/02/2026
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.<br /> While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.<br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
24/02/2026

CVE-2026-2459
Publication date:
24/02/2026
A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not authorized to do so.
Severity CVSS v4.0: HIGH
Last modification:
24/02/2026

CVE-2026-2460
Publication date:
24/02/2026
A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC protocol that the user is not authorized to do so.
Severity CVSS v4.0: HIGH
Last modification:
24/02/2026

CVE-2026-2634
Publication date:
24/02/2026
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability affects Firefox for iOS
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2026-2757
Publication date:
24/02/2026
Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2026

CVE-2026-1772
Publication date:
24/02/2026
RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.
Severity CVSS v4.0: MEDIUM
Last modification:
24/02/2026

CVE-2026-1773
Publication date:
24/02/2026
IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.
Severity CVSS v4.0: HIGH
Last modification:
24/02/2026

CVE-2026-23969
Publication date:
24/02/2026
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.<br /> <br /> This issue affects Apache Superset: before 4.1.2.<br /> <br /> Users are recommended to upgrade to version 4.1.2, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
24/02/2026

CVE-2026-23980
Publication date:
24/02/2026
Improper Neutralization of Special Elements used in a SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.<br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
24/02/2026

CVE-2026-23982
Publication date:
24/02/2026
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.<br /> <br /> This issue affects Apache Superset: before 6.0.0.<br /> <br /> Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Severity CVSS v4.0: HIGH
Last modification:
24/02/2026
Subscribe to Vulnerabilities